BCLPSecCorpGov.com

Disclosure Controls and Procedures – Not Just a Quarterly Certification

Disclosure Controls and Procedures – Not Just a Quarterly Certification

Jun 16, 2021
Download PDFDownload PDF
Print
Share

On June 15, 2021, the SEC announced that it had settled charges against First American Financial Corporation for failures in First American’s disclosure controls and procedures.  Rule 13a-15(a) under the Exchange Act requires issuers to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms. 

According to the SEC’s order, in May 2019, company management learned from a journalist that the company was experiencing a cybersecurity vulnerability that had resulted in the inadvertent public availability of customers’ personal data.  First American responded by issuing a statement to the press explaining that the company had learned of a design defect that had resulted in “possible unauthorized access to customer data” and had taken “immediate action to address the situation and shut down external access” to the data.  A few days later, First American issued a press release that was also furnished on Form 8-K.  In the release, the company reported that there was “[n]o preliminary indication of large-scale unauthorized access to customer information.”

Contrary to these disclosures, the SEC found that the vulnerability had exposed sensitive personal data, including social security numbers, in over 800 million images of customer documents for a period dating back to as early as 2003.  The SEC also found that the senior executives of the company who were responsible for the May 2019 disclosures were, when approving such disclosures, lacking certain information necessary for them to assess the magnitude of the risk, as well as First American’s response to the risk.  In particular, the SEC determined that management did not know that the company’s information security personnel had identified the vulnerability several months earlier and had not remediated it as required by the company’s “vulnerability remediation management” policies.    

Based on this conduct, the SEC found that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the company’s cybersecurity vulnerability was analyzed by management in connection with the company’s filings with the SEC.  Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.  The chief of the SEC Enforcement Division’s Cyber Unit noted that “[i]issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”

Related Practice Areas

  • Securities & Corporate Governance

Meet The Team

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.